How to send email for user authentication in PHP

Websites sometimes need to use email verification to prevent users from malicious registration, identity verification and other operations. But how to use PHP backend to send verification emails? This article uses a set of registration examples to explain how PHP sends emails.

One of the most common security verifications in user registration is email verification. According to common industry practices, email verification is a very important practice to avoid potential security risks. Now let us discuss these best practices and see how to create an email verification in PHP.

Let us start with a registration form:

<form method="post" action="http://mydomain.com/registration/">
    <fieldset>
        <label for="fname">First Name:</label>
        <input type="text" name="fname" required />
    </fieldset>
    <fieldset>
        <label for="lname">Last Name:</label>
        <input type="text" name="lname" required />
    </fieldset>
    <fieldset>
        <label for="email">Last name:</label>
        <input type="email" name="email" required />
    </fieldset>
    <fieldset>
        <label for="password">Password:</label>
        <input type="password" name="password" required />
    </fieldset>
    <fieldset>
        <label for="cpassword">Confirm Password:</label>
        <input type="password" name="cpassword" required />
    </fieldset>
    <fieldset>
        <button type="submit">Register</button>
    </fieldset>
</form>

Next is the table structure of the database:

CREATE TABLE IF NOT EXISTS `user` (
    `id` INT(10) NOT NULL AUTO_INCREMENT PRIMARY KEY,
    `fname` VARCHAR(255) ,
    `lname` VARCHAR(255) ,
    `email` VARCHAR(50) ,
    `password` VARCHAR(50) ,
    `is_active` INT(1) DEFAULT '0',
    `verify_token` VARCHAR(255) ,
    `created_at` TIMESTAMP,
    `updated_at` TIMESTAMP,
);

Once this form is submitted, we need to validate the user's input and create a new user:

// Validation rules
$rules = array(
    'fname' => 'required|max:255',
    'lname' => 'required|max:255',
    'email' => 'required',
    'password' => 'required|min:6|max:20',
    'cpassword' => 'same:password'
);
$validator = Validator::make(Input::all(), $rules);
// If input not valid, go back to registration page
if($validator->fails()) {
    return Redirect::to('registration')->with('error', $validator->messages()->first())->withInput();
}
$user = new User();
$user->fname = Input::get('fname');
$user->lname = Input::get('lname');
$user->password = Input::get('password');
// You will generate the verification code here and save it to the database
// Save user to the database
if(!$user->save()) {
    // If unable to write to database for any reason, show the error
    return Redirect::to('registration')->with('error', 'Unable to write to database at this time. Please try again later.')->withInput();
}
// User is created and saved to database
// Verification e-mail will be sent here
// Go back to registration page and show the success message
return Redirect::to('registration')->with('success', 'You have successfully created an account. The verification link has been sent to e-mail address you have provided. Please click on that link to activate your account.');

After registration, the user's account remains invalid until the user's email is verified. This feature confirms that the user is the owner of the entered email address and helps prevent spam and unauthorized email use and information disclosure.

The whole process is very simple - when a new user is created, an email containing a verification link will be sent to the email address filled in by the user during the registration process. Before the user clicks the email verification link and confirms the email address, the user cannot log in and use the website application.

There are several things to note about verified links. The verified link needs to contain a randomly generated token that is long enough and only valid for a certain period of time. This is done to prevent network attacks. At the same time, the email verification also needs to include the user's unique identifier, so as to avoid potential dangers of attacking multiple users.

Now let's see how to generate a verification link in practice:

// We will generate a random 32 alphanumeric string
// It is almost impossible to brute-force this key space
$code = str_random(32);
$user->confirmation_code = $code;

Once this verification is created, store it in the database, Send to user:

Mail::send('emails.email-confirmation', array('code' => $code, 'id' => $user->id), function($message)
{
$message->from('my@domain.com', 'Mydomain.com')->to($user->email, $user->fname . ' ' . $user->lname)->subject('Mydomain.com: E-mail confirmation');
});

Email verification content:

<!DOCTYPE html>
<html>
    <head>
        <meta charset="utf-8" />
    </head>
    <body>
        <p style="margin:0">
            Please confirm your e-mail address by clicking the following link:
            <a href="http://mydomain.com/verify?code=<?php echo $code; ?>&user=<?php echo $id; ?>"></a>
        </p>
    </body>
</html>

Now let’s verify if it works :

$user = User::where('id', '=', Input::get('user'))
            ->where('is_active', '=', 0)
            ->where('verify_token', '=', Input::get('code'))
            ->where('created_at', '>=', time() - (86400 * 2))
            ->first();
if($user) {
    $user->verify_token = null;
    $user->is_active = 1;
    if(!$user->save()) {
        // If unable to write to database for any reason, show the error
        return Redirect::to('verify')->with('error', 'Unable to connect to database at this time. Please try again later.');
    }
    // Show the success message
    return Redirect::to('verify')->with('success', 'You account is now active. Thank you.');
}
// Code not valid, show error message
return Redirect::to('verify')->with('error', 'Verification code not valid.');

Conclusion:

The code shown above is only a tutorial example and has not been adequately tested. Please test it before using it in your web application. The above code is done in the Laravel framework, but you can easily migrate it to other PHP frameworks. At the same time, the verification link is valid for 48 hours and expires after that. Introducing a work queue can handle expired verification links in a timely manner.

Related recommendations:

php complete verification code code php generate verification code php SMS verification code php verification code code

php Sample code of SMS interface (getting started)

php SMS gateway SMS content cannot have spaces, SMS gateway SMS content_PHP tutorial

The above is the detailed content of How to send email for user authentication in PHP. For more information, please follow other related articles on the PHP Chinese website!